If you attended our European Identity and Cloud Conference this May, you have probably noticed that, unlike in previous years, a significantly bigger part of the agenda and a substantial number of expo stands were devoted to practical, “down to earth” aspects of IT security. Multifactor authentication, encryption technologies, source code analysis, even backup: many of these topics had previously been looked down upon by strategists as boring tasks for IT engineers.

Well, times have changed. The explosive growth of computing power and networks, the continued erosion of enterprise perimeters, the development of ever more complicated Advanced Persistent Threats: all these trends are bringing good old Information Security back to the front pages. Before the Snowden revelations, not many had given serious thought to encrypted communications. Before Heartbleed, not many people actually knew what “static code analysis” meant.

There is, however, one topic that I personally consider extremely important and which has not received enough limelight in recent years. This, of course, is Industrial Control System (ICS) security, more often referred to as SCADA security.

In layman’s terms, SCADA (supervisory control and data acquisition) is a system for monitoring and controlling industrial processes of different kinds. Over decades, SCADA systems have evolved into large-scale systems operating complexes of equipment over large distances. SCADA systems are widely utilized in manufacturing, oil and gas refining, power generation and distribution, water treatment, and also for controlling facilities like heating and air conditioning in buildings or ships. In other words, SCADA systems control a significant part of every nation’s critical infrastructure, which makes them an important target for that nation’s enemies.

Unfortunately, SCADA systems have historically never been designed with security in mind. Early systems were monolithic, physically isolated systems without any network connectivity. Later generations were based on proprietary LAN protocols that usually lacked any kind of transport security or authentication. Modern (or, I should rather say, “current”) SCADA systems have evolved into large-scale decentralized systems with an increasing number of network connections. They are gradually shifting from proprietary protocols to open standards and are becoming increasingly interconnected with office networks and the Internet. Many workstations and human-machine interfaces (HMI) are actually standard Windows PCs, often running outdated and unpatched software. Programmable Logic Controllers (PLC), the actual components controlling physical processes, are even more vulnerable, since their software and network protocols historically lack any security. Until recently, both SCADA vendors and the enterprises deploying the systems gave little consideration to security issues, more or less relying on security by obscurity.

The discovery of the Stuxnet malware in 2010 shattered that false feeling of safety. A piece of software on a USB drive, planted at the Iranian nuclear facility by US and Israeli intelligence services, was able to disrupt the PLCs that controlled the nuclear material enrichment centrifuges and ultimately physically destroy them. This case was widely publicized four years ago and naturally led to the establishment of standards and guidelines for the prevention of such incidents, both in the public and private sectors, in many countries.

However, it somehow failed to grab the general public’s attention as much as Snowden and Heartbleed did later. Sure, the press regularly reports on new vulnerabilities found in different ICS systems, like this one (from last week!) or this. Check out my favorite quote:

The poor security of such software was revealed by a project Mr Rios and a colleague undertook in which they sought to find 100 Scada bugs in 100 days.

"We ended up finding over 1,000 bugs in 100 days," he said. "Scada software security simply hasn't kept up with modern times. The security of software like iTunes is much more robust than the software supporting our critical infrastructure."

So, what makes SCADA systems so difficult to secure? There are many reasons, actually, and they require completely different approaches to address them.
  1. As I already mentioned above, current SCADA systems have evolved into distributed systems based on open network standards and commodity software, so they are theoretically vulnerable to the same attack vectors as other corporate networks. However, their design has historically never addressed security and identity issues at all.
  2. Although many components of SCADA systems run Windows, standard endpoint protection solutions are not particularly suitable for them, because even a minor latency spike caused by a malware database update may lead to a disruption of the manufacturing process. Addressing process continuity in anti-malware software requires substantial changes to its logic.
  3. Traditional detection and blocking techniques are obviously not applicable for specialized systems like PLCs. Development of specialized solutions for their protection requires tight collaboration with PLC vendors. The same is true for integration with existing control and monitoring modules of SCADA systems.
  4. The newest trend in SCADA development follows the current trends in IT in general: growing adoption of Cloud services, introduction of the “Internet of Things” approach to system design, etc. This leads to a rapid growth in complexity, since the number of modules and the connections between them increase exponentially. Of course, this enables even more new attack vectors.
  5. Growing political tensions, both between developed countries and with global terrorist organizations, mean that critical infrastructures are more likely to become targets of cyber-attacks with expected catastrophic outcomes.
Security experts have been talking about doomsday scenarios as a consequence of a possible attack on a power grid or a chemical plant. Luckily, until now these predictions have never materialized, but the poor state of ICS security still makes them the proverbial sword of Damocles hanging over our heads. Statistics clearly show that both the number and the level of sophistication of attacks on ICS are steadily increasing.

Yes, until now we have not experienced a successful cyber-attack on critical infrastructure that led to an industrial disaster with human casualties. But can we be sure that it won’t happen tomorrow? Not really. Luckily, both government organizations and security vendors are already working on different approaches to address this threat, from both short-term and long-term perspectives. And I firmly believe that EIC could be a good meeting place for these specialists to discuss this topic. Maybe as soon as next year?

If you’re looking for more information on this topic, check out these published KuppingerCole research documents: